We have a Google Cloud Storage bucket that we want to use for storing sensitive data. As per the documentation, we are trying to use uniform bucket-level access. The permissions tab shows a number of service accounts having access to the bucket, such as container registry, cloud functions, etc. Access from these service accounts cannot be disabled as the permissions are inherited.
The concern with leaving access from these service accounts in place would be:
Is there any way to prevent access from these service accounts? There are deny-level policies, but it's unclear if they could be used to prevent this access, or if such an approach would be recommended.
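As an added illustration (not part of the question above, and not Google's own tooling), the following Python inventories which project-level bindings a bucket with uniform bucket-level access would inherit and which of those principals are service accounts, then builds the shape of a deny-policy rule for review. The project policy is a constructed sample, the role-prefix and basic-role lists are a heuristic I chose, and the `principal://…` identifier format and `storage.googleapis.com/…` permission names are assumed from GCP's deny-policy syntax; whether a given permission is deny-eligible must be confirmed against the current documentation before attaching such a policy.

```python
import json

# Constructed sample of a project-level IAM policy (not real data). Because
# uniform bucket-level access disables object ACLs, these project bindings are
# exactly what the bucket inherits and what the console shows as "inherited".
SAMPLE_PROJECT_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:example-registry@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:example-functions@example-project.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/logging.viewer",
         "members": ["serviceAccount:example-logs@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/owner",
         "members": ["group:admins@example.com"]},
    ]
})

# Heuristic (my assumption): any roles/storage.* role, plus the basic roles
# owner and editor, grants read or write on bucket objects.
STORAGE_ROLE_PREFIXES = ("roles/storage.",)
BASIC_ROLES_WITH_STORAGE = {"roles/owner", "roles/editor"}

# Permissions assumed to be deny-eligible for Cloud Storage objects;
# confirm against the deny-policy docs before use.
OBJECT_READ_PERMISSIONS = (
    "storage.googleapis.com/objects.get",
    "storage.googleapis.com/objects.list",
)


def storage_principals(policy_json):
    """Map each member to the sorted list of storage-granting roles it holds."""
    policy = json.loads(policy_json)
    found = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if not (role.startswith(STORAGE_ROLE_PREFIXES) or role in BASIC_ROLES_WITH_STORAGE):
            continue
        for member in binding.get("members", []):
            found.setdefault(member, set()).add(role)
    return {member: sorted(roles) for member, roles in found.items()}


def service_accounts_with_storage(policy_json):
    """Only the service-account members, i.e. the inherited access the question is about."""
    return sorted(m for m in storage_principals(policy_json) if m.startswith("serviceAccount:"))


def deny_rule_for(members, permissions=OBJECT_READ_PERMISSIONS):
    """Build one deny-policy rule (as a dict) covering the given IAM members.

    The principal identifier formats below are assumptions about GCP's
    deny-policy syntax, labelled as such; review the generated rule and the
    permission list before attaching it at the project attachment point.
    """
    denied = []
    for member in members:
        kind, _, ident = member.partition(":")
        if kind == "serviceAccount":
            denied.append(f"principal://iam.googleapis.com/projects/-/serviceAccounts/{ident}")
        elif kind == "user":
            denied.append(f"principal://goog/subject/{ident}")
        else:
            # Groups and other member types need their own identifier form; refuse
            # rather than guess, so the rule never silently omits a principal.
            raise ValueError(f"unsupported member type for deny rule: {member}")
    return {"denyRule": {"deniedPrincipals": denied,
                         "deniedPermissions": list(permissions)}}


if __name__ == "__main__":
    for member, roles in storage_principals(SAMPLE_PROJECT_POLICY).items():
        print(f"{member}: {', '.join(roles)}")
    rule = deny_rule_for(service_accounts_with_storage(SAMPLE_PROJECT_POLICY))
    print(json.dumps({"rules": [rule]}, indent=2))
```

In practice the input would be the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` (bucket-level `get-iam-policy` shows only the bucket's own bindings, not the inherited ones), and the printed rule is a starting point for a policy file, not something to attach unreviewed: deny policies are evaluated before allow policies, so a rule that is too broad can lock out the workloads that legitimately need the bucket.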